Sounds like my toolset... I've got some questionnaires for them to do
beforehand - basically education for the architects - they learn that
if it doesn't come out yes all the way down it will be better if it
was fixed first. We've also put together a nice business process to
show the heads (i.e. the ones that pay in this case) that it would be
much cheaper to not design it broken in the first place... :)
But in the end it's interview and writeup :)
Cheers
Bret
Now concerning the tools:
- 2-hour meeting with some guys from the business, a developer and
  the application business owner
- I ask questions, they answer them, I take notes
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org